Well, here's a new one on me - Roger Karlsson has dug out a site that installs - can you believe it? - the Google Toolbar without consent, along with some other things. Check out how many Google domains it redirects - someone has it in for the Big G. A little digging of my own has found a link to some of the typical .biz hijack websites - more shocking is the flagrant way that the people behind this are trying to pass themselves of as being affiliated with Google in some official kind of capacity - when nothing could be further from the truth. Check out these screenshots (click to enlarge, so on and so forth)...

The criminal element tries to steal from Google
There’s been discussion going around about among elite antispyware security forces about Google’s Toolbar being “whacked”.

What’s happening is that some criminal gang out there is installing a hacked version of the Google Toolbar via stealth on a relatively small number of systems. Ostensibly, this is to give them the aura of legitimacy for their own nefarious means (for example, getting people to think they’re using Google, when in fact, they’re using something else).

The important question is: Why is this different than stealth installs by adware companies?

Why is this an important question? Because adware/spyware companies will inevitably point to this install as being something that makes them innocent of stealth installs that occur from their own affiliates and distributors (“you see, it’s even happened to Google, we’re all the victims of rogue distributors”, etc.). In fact, we’ve already had one adware company approach us on this issue.

Now, comes the real breakdown and detailed analysis from SpywareGuide and Chris:

The Rogue Google Toolbar: History and Variants
by Christopher Boyd, Security Research Manager, FaceTime Security Labs

Introduction

There is currently a browser hijacker in circulation which installs a fake Google Toolbar, hijacking the HOSTS file to redirect most Google domains and placing a homepage hijacker in the Temporary Internet Files folder, from which an Internet Explorer based search engine claims to be powered by Google. The bundle also includes a rogue antispyware tool, called “World Antispy”.

However – this attack, viewed out of context, does not build up a sufficient picture of the tactics / techniques used by the group responsible for the install. A press release by Panda Antivirus has covered the main features of this install here, and they had previously discovered an earlier version of this hijacker in April. Sunbelt Software also found a variant some weeks ago. But the group behind this has actually been trying to exploit Google since 2003.

Through systematic research, Facetime Security Labs have found that there are three distinct versions of this attack, each one exploiting different security vulnerabilities and installing a different payload. Here is a HJT log from September 14th, 2003. Note the Google HOSTS file hijack. Here is a discussion thread that contains the same HOSTS file hijack, from even further back – July 9th, 2003. Finally, here is one more discussion of this infection technique from September 26th, 2003.